Online banking security: Online banking investigation: our findings
Login process
Halifax and Abbey were both rated as poor for their consumer-facing online security measures. Both banks were let down by their login process, which asks users to type in information in full.
Halifax asks for three pieces of information to confirm that it is you logging into your account. First, users must enter a username and a password. Then, on the same screen, they are asked to type in full the answer to a rotating security question, such as your father’s first name or the name of your first school. Neither of these answers is necessarily a secret, which means a dedicated fraudster could easily find out this information.
More worryingly, each entry is typed in full, making the information vulnerable to a simple keylogger. On the plus side, the site obscures what is typed (apart from the first field) to prevent someone from shoulder surfing, should you be using a computer in public.
In contrast, other sites, such as Lloyds TSB’s, ask users to first enter a username and password. But then, on a second screen, customers are asked to use drop-down menus to choose three letters from a self-chosen memorable phrase.
Preventing keyloggers
The aim of using menus rather than the keyboard is to stop simple keyloggers, which record every key pressed, from quickly capturing passwords. Since this third element of the Lloyds TSB login process uses menus, a simple keylogger would fail to steal all your credentials.
The Alliance & Leicester site requests three pieces of information if you have not logged in from the computer you are using before, and two if it believes you have. None of what you type is obscured to prevent shoulder surfing, and each entry is typed in full, making them vulnerable to a simple keylogger.
However, Alliance & Leicester has one additional feature unique among the sites we tested: it presents an image and an associated phrase (previously chosen by the account holder) to help you ensure you are not on a fake website.
PINsentry device
Barclays customers are asked to log in using its PINsentry device, which generates a random password every time you log in to your account. If you log in without the PINsentry, you have to enter four pieces of information (more than any other website we looked at).
This includes a five-digit passcode and two characters from a memorable word, and also uses drop-down menus, which makes the site impervious to a simple keylogger.
In our expert’s view, this bank’s checks far outstrip those used by the other banks we looked at, providing excellent controls against fraudsters.
Automatic log-out
Barclays was also one of the banks, along with First Direct, Nationwide, NatWest and the Royal Bank of Scotland (RBS), that immediately logs you out if you browse to another site. This handy security feature means you can’t forget to log out and allow someone else to take over on your computer.
In comparison, customers of Abbey, Alliance & Leicester, and Halifax are not immediately logged out if they browse to another site, use the browser back button or close a browser tab, leaving them vulnerable on a shared computer if they forget to log out (although the sites say you will be logged out after 10 minutes).
Money transfers
Once a fraudster has gained access to your online bank account, the likelihood is that they will steal your money. But there were differences in how well you would be protected should a fraudster gain entry to your account.
Abbey, First Direct, Halifax and HSBC have no additional controls for money transfers, so if your banking session is hijacked the criminal could simply enter the amount they want to transfer out of your account and press enter.
Alliance & Leicester and Lloyds TSB ask customers to enter two characters from their passwords in order to transfer money or change their address. Our expert felt this provided reassuring additional security.
Barclays, Nationwide, RBS and NatWest only allow you to transfer money using a card reader and your bank card. These banks provide maximum security. Barclays customers who don’t have their PINsentry device can’t transfer money.
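The "choose three letters from a memorable phrase" login step described under Preventing keyloggers, and the two-character check Alliance & Leicester and Lloyds TSB apply before a money transfer, are both instances of a partial-secret challenge: the bank picks random positions, the customer supplies only those characters, and a single observed session discloses just those characters rather than the whole secret. The following is an added example written for this page (it is not code from any of the banks named), showing how such a verifier can be built, why the positions must be server-chosen and random, why repeated failures must lock the check (three letters are guessable), and how much of the secret a passive observer learns per session. The phrase, the customer and the position numbers are constructed sample values; the assumption that the phrase is held recoverably (for example encrypted under a hardware-protected key) rather than as a one-way hash is noted in the code.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample secret for a hypothetical customer; not a real credential.
SAMPLE_PHRASE = "greenhousepenguin"


@dataclass(frozen=True)
class Challenge:
    """The 1-based positions the customer must answer for this login or transfer."""
    positions: tuple


class PartialSecretVerifier:
    """Server-side check for 'N characters from your memorable phrase'.

    Assumption: a real deployment keeps the phrase recoverable (e.g. encrypted
    under a key in an HSM), because a partial check cannot be made against a
    one-way hash of the whole phrase. This demo holds it in memory only.
    """

    def __init__(self, phrase, chars_requested=3, max_failures=3):
        self._phrase = phrase.lower()
        self.k = chars_requested          # 3 for login, 2 for a transfer step-up
        self.max_failures = max_failures  # small, because k characters are guessable
        self.failures = 0
        self._rng = secrets.SystemRandom()

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def new_challenge(self):
        """Pick k distinct positions at random; the customer never chooses them."""
        chosen = self._rng.sample(range(1, len(self._phrase) + 1), self.k)
        return Challenge(tuple(sorted(chosen)))

    def verify(self, challenge, answer):
        """True only if the answer matches the requested positions and the
        account is not locked. Comparison is constant-time."""
        if self.locked:
            return False
        expected = "".join(self._phrase[p - 1] for p in challenge.positions)
        ok = len(answer) == self.k and hmac.compare_digest(
            expected.encode(), answer.lower().encode()
        )
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok


def positions_disclosed(challenges):
    """Union of phrase positions an observer would learn from these sessions."""
    seen = set()
    for challenge in challenges:
        seen.update(challenge.positions)
    return seen


def fraction_disclosed(phrase, challenges):
    """Share of the phrase revealed by the observed sessions (typed-in-full
    entry, by contrast, reveals 1.0 in a single session)."""
    return len(positions_disclosed(challenges)) / len(phrase)


if __name__ == "__main__":
    login = PartialSecretVerifier(SAMPLE_PHRASE)          # three letters at login
    ch = login.new_challenge()
    answer = "".join(SAMPLE_PHRASE[p - 1] for p in ch.positions)  # the honest customer
    print("challenge", ch.positions, "accepted:", login.verify(ch, answer))
    print("disclosed this session:", fraction_disclosed(SAMPLE_PHRASE, [ch]))
    transfer = PartialSecretVerifier(SAMPLE_PHRASE, chars_requested=2)  # step-up
    print("transfer challenge:", transfer.new_challenge().positions)
```

The design choice worth noting is the lockout: because the answer space for three letters is tiny, the check only holds if guessing is stopped after a few failures, and the bank, not the customer, must choose the positions so that an observer cannot replay the characters they saw.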
Online banking fraud prevention
Which? research found that one in four people have been the victim of financial fraud – of which one in six never get the full amount back.
Experts we spoke to for this investigation told us that there is variation in how good banks are at blocking and reversing fraudulent transactions. Criminals know this and will target the banks that are bad at these measures.
We were unable to find out which banks are worse than others at spotting fraud. Figures show that online banking fraud losses have increased, but numbers for individual banks are never released.
The banks themselves are unwilling to share their details either. A spokesman from HSBC told us: ‘We can’t give details on our fraud prevention experience, other than to note that HSBC is under-represented in UK online fraud statistics [that is, we have a proportionally lower experience of successful fraud against our customers compared with the industry].’
Internet banking security behind the scenes
The banks argue that it’s the security measures you can’t see that are more important than the processes we’ve checked. But experts who have asked to test the hidden security measures have been refused access.
Steven Murdoch, a researcher in the Security Group at Cambridge University, said: ‘Cambridge tests bank systems, but we are limited in what we can do because we can’t attack banks’ infrastructures. We have asked banks if we can test their systems, but they have refused.’
Steven Murdoch acted as an expert witness in the Job vs Halifax case, where the bank turned down Alain Job’s request for a refund of more than £2,000 of cash withdrawals that he claimed he had never made. Barrister Stephen Mason, who represented Job and is a banking technology specialist, said: ‘Of course online banking is not secure. It requires the customer to have better computers and better security than the Pentagon.’
Murdoch added: ‘Your report highlights the fact that there is variation in banks and that’s very useful to know, because when there’s competition it’s good for customers.’
